The ransomware crime wave: from paying up ourselves to making the hackers pay

The COVID-19 pandemic and the mounting evidence of global climate change have been competing for the title of theme of the year in 2021. If the virus subsides after the summer and we have a successful outcome to the COP26 climate summit in Glasgow in November, climate change action may yet make 2021 a significant historical turning point. Yet to my mind, were it not for these two mega-phenomena, 2021 would probably be remembered as the year of cyber insecurity. For in recent months we have been experiencing a different type of pandemic; this time of cyber-attacks and all manner of online scams, data breaches and extortions exploiting our new lifestyles in working from home and spending more of our waking hours hooked up to the internet.

As we have moved online so has the criminal fraternity with the result that losses to cybercrime are now running at $2.9mn a minute. The average cost of a data breach last year was $3.86mn and the average time to detect a breach was running at a staggering eight to nine months. The days when criminals had to do physical things like rob security vans at gunpoint, dig tunnels into bank vaults or sneak into cargo warehouses at ports and airports are fast coming to an end as electronic crime occupies an ever greater percentage of criminals’ ill-gotten gains. By 2025, cybercrime is expected to cost the world $10.5tn annually.

Ransomware, or the art of gaining access to someone’s network in order to encrypt his data and then demanding a hefty payment before unscrambling it, is fast becoming one of the most lucrative areas of cybercrime. Last year it accounted for some $25bn in health systems alone. The hackers do not need to go in search of potential buyers of stolen data, like credit card credentials or access passwords; they can extort the money directly from the victim who has every incentive to pay up to avoid lasting reputational damage and to be able to return quickly to normal business activity.

Ransomware attacks also target information and administration networks which are often more inter-connected, and thus vulnerable to penetration, than industrial operating technology. Last year the average ransom demanded was around half a million dollars. All these profits only make the ransomware wave worse as the hacker gangs can use their wealth to recruit the best cyber criminals and to acquire the technological savoir faire to carry out even more brazen and sophisticated attacks.

In recent weeks we have had three prominent examples of the growing menace of ransomware attacks. First was an intrusion by a cyber syndicate calling itself DarkSide into the management system of Colonial pipelines, which pumps fuel to gas station suppliers up and down the east coast of the United States. This led the pipeline to shut down for the best part of a week and US TV networks soon showed pictures of long queues of motorists desperate to fill up at those gas stations still open. Colonial paid a ransom of $4mn in bitcoins to have its data unlocked and to get the pipeline back up and running.

Next was a ransomware attack on the logistics and distribution software of JBS, a Brazilian meat packaging company which forms an important part of the US food supply chain. JBS paid another well-known criminal gang, REvil, a reported $11mn to regain control of its data. Then in the past few days the same criminal group breached the management software of a Miami-based company called Kaseya, which provides network management software for financial control and payment registration services to small and medium-sized companies. This allowed the hackers in a cascade fashion to gain control of the cloud services of 200 companies in 17 countries. Swedish shoppers were the first to experience the consequences when 800 Coop stores in the country had to close during the weekend because their cash tills were blocked. REvil began by demanding that individual companies pay between $45,000 and $5mn, according to size, to have their data released but then, given the large numbers of companies involved, decided to simplify matters by imposing a single $70mn ransom payment on Kaseya. As with the SolarWinds attack against 70 companies and 9 federal agencies in the United States last year, attributed to the Russian SVR foreign intelligence service, this was a supply chain attack that can sweep up in its web of victims organisations as diverse as schools, railways, energy suppliers and retailers in both the public and private sectors.

Both DarkSide and REvil are Russia-based cybercrime syndicates. Indeed some experts believe that 75% of ransomware attacks originate in Russia. This has long led to speculation that the Russian state is complicit in these attacks. The criminals could be state employees or intelligence operatives freelancing in their spare time, or recently retired state hackers taking their knowledge and skills with them into new, lucrative second careers. As long as they attack foreign targets, and particularly the adversaries of the Russian government, the state turns a blind eye.

Criminal groups also give Moscow the easy excuse of denial. When Estonia suffered a devastating 11-day cyber-attack on its online government services in 2007, Putin put the blame on ‘patriotic hackers’ beyond the control of the authorities. Faced with Western accusations of complicity, Moscow asks to see the evidence. In doing so, Russia is relying on a well-known principle of international law, known as the doctrine of effective control. Endorsed by the International Court of Justice in The Hague, it says that a state is only liable for activities organised on its territory if they are carried out with the state’s assistance or are wholly dependent on that support. This places the bar for evidence very high.

So we now need to move to a new doctrine which could be called the ‘doctrine of overall control’. This is similar to the adoption by the United Nations General Assembly in 2003 of the Responsibility to Protect, which affirms that a state has a duty to stop human rights abuses committed within its jurisdiction. State officials bear ‘command responsibility’ even if they themselves are not directly implicated in the abuses and violence against civilians because it is assumed that they have the power to know what is happening and to stop such acts.

Another precedent was the US decision to remove the Taliban regime in Afghanistan in 2001 after the terrorist attacks in New York and Washington. The US attributed the attacks to Al Qaeda but the Taliban had harboured this organisation and was thus treated as a co-conspirator in a decision endorsed in a UN Security Council resolution. If this principle were extended to cybercrime, victims would have the right to demand that states harbouring criminal hacking syndicates cooperate with investigations, extradite persistent criminal hackers who are legitimately indicted by foreign courts, and take action to freeze and return ransoms and other proceeds of cybercrime. Ending the impunity of rogue jurisdictions, as in Russia, where laws either do not exist or are ignored, would be a major step forward.

In sum, what we need is an international convention on cyber responsibility which establishes clear norms and standards. Ideally this should be in the form of a UN declaration or covenant approved by the General Assembly and endorsed in a Security Council resolution, as has been done in the past for human, political and cultural rights, the protection of women in conflict and the rights of the child, to give but a few examples. On this basis the UN could establish a cybercrime agency, perhaps co-located with Interpol in Lyon. This agency could advise countries on how to adapt their domestic laws to meet the norms and standards for fighting cybercrime. It could produce an annual index of cyber responsibility ranking countries in terms of their efforts to combat cybercrime and respect for the law, similar to what is done for corruption or tax avoidance. This would give companies a good idea of the risks and vulnerabilities associated with their foreign investments and business decisions. The agency could provide early warning of new attack vectors and methodologies, advice on vulnerability patching, and it could conduct investigations after criminal attacks and help to turn the spotlight on those states that refuse to cooperate fully. This could form the basis of sanctions that other states or organisations might wish to take against the crime havens until they clean up their act. A system of red or yellow notices, such as used by Interpol, could be introduced to arrest indicted hackers once they attempt to travel. UN agencies such as the International Atomic Energy Agency in Vienna or the Organisation for the Prohibition of Chemical Weapons in The Hague have a good record in terms of their technical expertise, investigative teams and ability to name and shame the violators of international norms. They would be a good model for a UN cybercrime agency.

This said, getting agreement in the UN on cyber issues has proved difficult in the past. A Group of Governmental Experts has been meeting off and on for years to draft a treaty on international internet governance and cyber security but has been held up by disputes between the Western countries and Russia and China over the definition of state sovereignty – and thus control – in cyberspace. Moreover, Interpol has been plagued by accusations of politicisation over what constitutes a crime and the misuse of Red Notices by some member states to go after their political opponents with trumped up charges. Debates in the UN International Telecommunications Union on common norms and standards have become bogged down; many developing countries with authoritarian or illiberal governments do not want the internet to be an open, multi-stakeholder system, beyond their control, any more than do China and Russia. India, for instance, imposed the longest internet blackout in history recently in Kashmir, lasting 15 months. China’s growing influence in UN agencies and committees where internet and cyber issues are discussed will make UN treaties and conventions in these areas even more difficult to achieve.

Consequently, the Western countries will undoubtedly need to pursue the path of ‘mini-lateralism’ for the immediate future and set up these types of policing arrangements among themselves in the hope that Western standards gradually become recognised as the international norm. This has certainly been the case recently with reductions in carbon emissions where Russia and China have also made pledges to meet certain targets closely following Western levels of ambition in order to appear as responsible global citizens.

There have been some encouraging steps. For instance, Europol has established a unit dealing with cybercrime, the EU has strengthened the powers of ENISA, its cyber security agency, and across the Atlantic the US National Security Agency and FBI are carrying out joint investigations with their European counterparts and issuing joint awareness-raising and analytical reports. Just this past week, for instance, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the National Security Agency and the United Kingdom’s National Cyber Security Centre produced a joint report on how Russian hackers were using brute force automated spray technologies to identify passwords giving access to Microsoft Office 365 cloud services. The hackers were exploiting an open source tool, Kubernetes, originally developed by Google. The lesson drawn was once again for system users to use stronger passwords and multifactor identification. Furthermore, working with its international partners, the FBI has secured the arrest of a number of cyber criminals accused of hacking into US infrastructure, government networks or the financial system, and who have been extradited to the US to face trial. These examples show that we are not defenceless against ransomware attacks and other types of cybercrime. Where there is the will, there is a way.

Yet there is certainly more that can be done.

One thing would be to insert into trade negotiations that the EU or other Western entities conduct with third countries provisions on the countering of cybercrime. Ideally these trading partners would undertake to sign up to the Budapest Convention on Cybercrime. This is an instrument adopted two decades ago by the Council of Europe which is now adhered to by over 50 countries. It provides for regular information exchange and harmonised standards, reporting and procedures for dealing with criminal activities. These trade agreements could also establish modalities and procedures for extraditions.

The transatlantic partners could also pursue a common agenda of law enforcement in international bodies such as the G20, which meets this autumn at summit level in Rome, and the WTO. The US and EU are keen on a reform of the WTO which has focused on the traditional trade in goods and products rather than 21st century trade in data and electronically delivered services. So, a strengthened WTO role and rules in addressing cybercrime with real teeth in WTO arbitration panels should be a core part of this reform agenda.

Interestingly, NATO at its recent summit decided to lower the bar for a collective NATO response against cyber-attacks. The allies agreed that ‘cumulative attacks’ as opposed to one massive and paralysing attack could achieve similar levels of economic or societal disruption and thereby trigger punitive rather than only recovery measures. The allies now need to decide if ‘cumulative’ indeed covers ransomware attacks against supermarket chains, rail networks, energy supplies and food distribution and commercially provided services rather than only government institutions. If so, what would be the minimum levels of attribution required and the playbook of graduated response options at NATO’s disposal for the alliance to be able to act collectively? No doubt, this will be clarified over time on a case-by-case basis and by trial and error; but it will be a useful indicator of the ability of the diplomatic and security community to break the link between organised cybercrime and state complicity and sponsorship.

A further step would be to go after the proceeds of crime. The FBI has shown the way by tracking down the bitcoins that Colonial pipelines paid to DarkSide. Around two-thirds of these were blocked and seized before they could be accessed by the hackers in Russia. This gave the lie to the common notion that anonymous crypto-currencies are untraceable and therefore the ideal cash flow option for criminals. Another good example goes back a decade when the Lazarus hacking syndicate in North Korea broke into the National Bank of Bangladesh and stole $96mn before the haemorrhage of money out of the bank was noticed. The New York Federal Reserve and FBI helped the Bangladesh authorities to track this money down to a casino in the Philippines where the North Koreans were attempting to launder the funds before transferring them to Pyongyang. Again, this excellent detective work deprived the criminals of the bulk of their ill-gotten gains.

This points to the need for an international body of financial investigators who would cooperate to trace and recover criminal profits. A good example is the Financial Action Task Force based in Paris which has performed sterling work in blocking the attempts of terrorist groups to raise and transfer funds, and their links to organised crime in areas such as narcotics, small arms, trafficking of cultural artefacts and counterfeit money. Again, exposing the modus operandi of the criminals and naming and shaming their protectors shines the spotlight on the networks that facilitate their activities.

Of course, the victims can help themselves too. Both the National Bank of Bangladesh and the Kaseya hacks occurred during public holiday weekends when key IT staff are absent and the guard is down. Commercial firms often have lax security, particularly when they have not (yet) been classified as critical national infrastructures, and often they have not backed up their data in reserve storage systems. After Estonia experienced its massive cyber-attack in 2007, it created a parallel storage site for its key national data in Luxembourg. Companies have not done effective risk management on their cyber vulnerabilities or have invested their cyber security budgets in the wrong things. The human factor is often the key vulnerability, particularly when it comes to phishing and social engineering attacks or inadequate security protocols. Finally, companies that fall victim to ransomware attacks may decide to hush things up and pay up to avoid embarrassment so that governments are slow to identify the extent of the damage to inter-connected networks. This suggests the need for a legal requirement for companies to report breaches to national cyber security authorities and cooperate with investigations.

A more delicate issue is whether companies should pay the ransoms. Governments tend to discourage payments in the case of hostage taking, although occasionally they do precisely this in secret to obtain the release of hostages later on. Of course, payment of ransoms can only encourage more criminals to get into the lucrative cybercrime business. Will insurers be prepared to cover these ransom payment risks and subject to which precautionary principles and measures of due diligence? We need answers to these questions so that business has a better grasp of its responsibilities and liabilities.

Finally, as the technology advances and the hackers become more clever and sophisticated, companies need more help from governments and particularly the military and intelligence communities to understand the threat and upgrade their defences. Unlike defence against the classic cyber penetration techniques, they can no longer do it all by themselves.  After the most recent ransomware attack on Kaseya, President Biden has pledged the help of the US law enforcement and intelligence agencies to investigate the breach and help Kaseya to clean up its networks. Biden recently handed to Putin in Geneva a list of 16 critical infrastructure infrastructures with a warning to Russia of robust US responses should Russia attempt to disrupt them.

There is a good precedent for the US to step in with government help for its commerce under attack. The US largely created its navy at the beginning of the 19th century to protect its trading vessels against the depredations of the Barbary pirates, and after Washington’s appeals to Morocco to reign in their activities had gone unheeded. Today governments in the UK and the US too are also giving their companies more upstream information and advice about cyber threats, helping them to improve their cyber hygiene. They also hold joint public-private sector exercises to help companies to improve their skills and procedures to mitigate the impact of cyber intrusions and to better grasp their risk landscape as well as test the robustness of their cyber defences.

To conclude: criminal activity is as old as humanity itself and the last criminal will no doubt die out with the last human beings. Criminals are good at identifying and exploiting our vulnerabilities. The COVID-19 age of IT dependency and more and more of human activity moving online and into electronic networks – that we do not understand and over which we have little oversight or control – give criminals enormous new opportunities. But if we cannot eliminate cybercrime, and indeed will be chasing it to catch up for some time to come, we can at least make it harder and less profitable for the criminals. Life for them has to become (almost) as uncomfortable as it is for their victims. Again where there’s a will, there’s a way.